Alastair is a specialist in the operational requirements of cyber and data security. He has over 20 years’ experience in creating and auditing governance frameworks relating to technology. This includes policies, procedures, and management controls.
Should companies get cyber accreditation?
It’s something I would always think about, though it depends on the need as there are different types of accreditations, different time frames and different costs. Getting cyber accreditation, especially where it’s verified by a third party, is like telling the outside world – clients, or prospective clients, “Look, I’m taking cyber seriously. We’ve made the time, the effort, and the resource to go and get things set up properly to put the right controls in place and then get these accredited.” I think it’s something that all companies should consider.
What are the benefits to an organisation of completing cyber accreditation?
Completing cyber accreditation can bring several benefits to an organisation. First and foremost, it can enhance your firm’s cybersecurity posture, protecting against cyber threats and attacks. It can also improve your reputation and credibility, demonstrating to clients and partners that the business takes cybersecurity seriously. We’re finding more frequently that clients are getting questionnaires from potential customers saying, “Please can you prove to me that our data is secure, and you are cybersecure” – in many cases they can just show their cyber accreditation.
Cyber accreditation can also help you comply with regulatory and contractual requirements and can help with cyber insurance renewals.
What are the different certification options open to me?
There are several cyber accreditation options available for businesses seeking to improve their cybersecurity posture. You’ve got to think about the size of your organisation and the need for doing it. Here are some of the popular ones:
- Cyber Essentials: This is a UK government-backed certification scheme that provides a baseline of technical cybersecurity requirements for organisations. It covers five key technical areas: boundary firewalls and internet gateways, secure configuration, access control, malware protection, and patch management. Cyber Essentials Plus is a higher level of certification that involves independent testing and assessment of an organisation’s cybersecurity controls.
- IASME Governance (now IASME Cyber Assurance): This is another UK government-backed cybersecurity certification scheme that covers a range of areas, including risk assessment, incident management, and data protection. It includes a self-assessment option and an independent assessment option. This builds on Cyber Essentials and in effect provides a working security framework to guide organisations to assure information security against a number of threats.
- ISO 27001: This is a widely recognised international standard that provides a framework for implementing an information security management system (ISMS). It covers a range of areas, including risk assessment, security controls, and incident management.
And how much am I likely to pay and what is the management overhead required?
The costs vary depending on the size of the organisation and your set-up (number of sites, devices, etc.). For Cyber Essentials, it’ll be around £400 to £500 plus VAT. There are around 80 questions to fill in, and your IT may have to help you with some of those.
For Cyber Essentials Plus the prerequisite is to pass Cyber Essentials, so the previous costs apply, adding up to around £1,500 to £2,500 plus VAT. There are a few days needed for the assessment too.
Cyber Assurance, the self-assessment one, starts at about £400 to £500 plus VAT. If you move up to the Level 2 verified or credited version, that could be into several thousands of pounds depending on what you’ve already got in place and the gaps you have.
Jumping to the full-blown management system with ISO 27001, you’re probably looking at £15,000 plus. ISO 27001 is really quite onerous in terms of resource and time.
Management time increases across these certifications because they get more complex and more time-consuming but, as a result, more thorough. You’ve got to balance the cost against the time involved.
So, can a cyber accreditation make me cybersecure?
It helps, but it isn’t everything. With things like Cyber Essentials you look at five basic technical controls, which you can imagine being sort of like five walls of your castle. That stops a lot of the basic cyberattacks, the automated-type stuff. It doesn’t stop the targeted ones or those caused by human error. If you advance to getting IASME Cyber Assurance, that looks at your people, your policies, and your processes. If you haven’t got those people and processes in place, you’re going to have security gaps.
Getting accreditation itself doesn’t make you cybersecure. For example, we’ve seen a number of firms with Cyber Essentials, but we typically find gaps in the five areas assessed by CE. For us it’s about making sure those are continually secure, e.g. if you say you are patching devices within 14 days, that’s what you must do. You need to make sure your IT firm is doing that for you to that timescale.
There are other things beyond these technical controls that you need to think about around people. People are always the weakest link. So again, things like policies, guidance, education – training in terms of cyber awareness. Not just training, but training with a test to see what’s been retained and to make sure people are competent and have actually understood it.
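The point above about patching within 14 days is one a practitioner can verify rather than take on trust from an IT provider. The following is an added example, not code from Mitigo or from the interview: it reads a constructed patch inventory (host, patch identifier, release date, install date) and flags every host where a patch was installed after the 14-day window or is still missing once the window has closed. The column names, the sample hosts and the patch identifiers are all assumptions made up for the illustration; the 14-day figure is the one the interviewee quotes.

```python
"""Check a patch inventory against a 14-day patching window (added example)."""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# The window quoted in the interview: patches applied within 14 days.
PATCH_WINDOW_DAYS = 14


@dataclass(frozen=True)
class PatchRecord:
    host: str
    patch_id: str
    released: date
    installed: Optional[date]  # None means the patch is still missing


def parse_inventory(text: str) -> List[PatchRecord]:
    """Parse a CSV export with columns host,patch_id,released,installed.

    The column layout is an assumption for this example; an empty
    'installed' field means the patch has not been applied yet.
    """
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        installed = row["installed"].strip()
        records.append(
            PatchRecord(
                host=row["host"].strip(),
                patch_id=row["patch_id"].strip(),
                released=date.fromisoformat(row["released"].strip()),
                installed=date.fromisoformat(installed) if installed else None,
            )
        )
    return records


def check_patch_window(
    records: List[PatchRecord], today: date, window_days: int = PATCH_WINDOW_DAYS
) -> List[Tuple[str, str, str, int]]:
    """Return (host, patch_id, status, days_over_deadline) for each breach.

    status is "late" when the patch was installed after the deadline and
    "missing" when it has not been installed and the deadline has passed.
    A missing patch whose deadline is still in the future is not a breach.
    """
    findings = []
    for r in records:
        deadline = r.released + timedelta(days=window_days)
        if r.installed is None:
            if today > deadline:
                findings.append((r.host, r.patch_id, "missing", (today - deadline).days))
        elif r.installed > deadline:
            findings.append((r.host, r.patch_id, "late", (r.installed - deadline).days))
    return findings


# Constructed sample inventory; hosts and patch identifiers are invented.
SAMPLE_INVENTORY = """host,patch_id,released,installed
ws-01,PATCH-0001,2024-03-01,2024-03-05
ws-02,PATCH-0001,2024-03-01,2024-03-20
ws-03,PATCH-0001,2024-03-01,
srv-01,PATCH-0002,2024-03-10,
"""

# Fixed "today" so the example is reproducible offline.
REPORT_DATE = date(2024, 3, 20)


def sample_findings() -> List[Tuple[str, str, str, int]]:
    """Run the check over the constructed inventory as of REPORT_DATE."""
    return check_patch_window(parse_inventory(SAMPLE_INVENTORY), REPORT_DATE)


if __name__ == "__main__":
    for host, patch_id, status, days_over in sample_findings():
        print(f"{host}: {patch_id} {status}, {days_over} day(s) past the 14-day deadline")
```

Run against the sample, ws-02 is reported as late (installed five days after the deadline) and ws-03 as missing (deadline passed five days ago); ws-01 was patched in time and srv-01 is still inside its window, so neither appears. Pointing the same check at a real export from your patch management tool turns "we patch within 14 days" into something you can show an assessor, and re-running it monthly is the kind of continual verification the answer above calls for.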
So what would be your “first step” advice to a company considering improving their cybersecurity?
You’ve got to start with a vulnerability assessment. Get an understanding of where you’re at in terms of your people, technology, operations, and processes. At Mitigo we talk to key people in key roles to understand not just what they do, but how processes are actually performed. Do staff understand their role in cybersecurity? Of course, the other thing to look at in this assessment is technology. Are your devices configured as securely as you think they are? With regard to your network set-up, we see lots of gaps around remote working. So really this first step is a gap analysis that gives you a road map to look at the vulnerability actions. You then start with the critical and the high-risk ones first to get yourself more cybersecure.
And finally, what accreditation services do Mitigo provide and why?
Mitigo is a cybersecurity company that focuses on vulnerability assessments and providing cybersecurity services. As part of this we can offer all the certifications that I’ve described. We’re a certification body under IASME, so we can offer things like Cyber Essentials and Cyber Essentials Plus, and we do the IASME Cyber Assurance. We can also help with ISO 27001 Information Security Management Systems. We offer certification for a range of reasons, but often clients need a certification for a contract or to be part of a specific supply chain.